Security issue on app to app communication

Andres Delrotti
Ranch Hand

Joined: Aug 11, 2005
Posts: 136

Hello,

This is my problem. We have this website that is run on two web applications. The first web application hosts the home page and clicking certain links in the home page would forward it to pages of the second web application where certain functionalities can be done. Now, there has been an initiative to redesign the site to have a login page and only logged in users could browse it. This would mean a login page being created in the first app, and when links to the second application are clicked, the pages are supposed to forward to it with the same session of the user that logged in.

The planned implementation is:

App 1 calling App2 page: http://somehost/App2/app2servlet?user=encrypteduserinfo

App2 decrypting user field from request and placing it in its session.

Both App1 and App2 use the same key for encryption/decryption of user info.

I know this will work, but is the security enough? Or is there a better way to do this?


Cheers,
Andres
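As an added example (not the poster's code), here is one way to build the `user=` hand-off parameter described above so that App2 can detect a modified or stale value: AES-GCM authenticated encryption under the shared key, a fresh IV per token, and an issue timestamp checked on the receiving side. The class name `HandoffToken`, the 60-second validity window, the `"App1->App2"` label and the assumption that the shared key is provisioned out of band are all mine, not from the thread.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

/** Hand-off token shared by App1 (issuer) and App2 (verifier). Hypothetical helper, not the poster's code. */
public final class HandoffToken {
    private static final int IV_BYTES = 12, TAG_BITS = 128;
    private static final long MAX_AGE_MILLIS = 60_000;        // assumed validity window: one minute
    private static final byte[] PURPOSE = "App1->App2".getBytes(StandardCharsets.UTF_8);
    private static final SecureRandom RNG = new SecureRandom();

    // App1 side: encrypt "issuedAt|username" with AES-GCM. GCM also authenticates the
    // ciphertext, so any change to the query parameter makes App2's tag check fail.
    public static String issue(SecretKey key, String username) throws GeneralSecurityException {
        byte[] iv = new byte[IV_BYTES];
        RNG.nextBytes(iv);                                     // fresh IV per token; never reuse one under the same key
        byte[] plain = (System.currentTimeMillis() + "|" + username).getBytes(StandardCharsets.UTF_8);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        c.updateAAD(PURPOSE);                                  // binds the token to this hand-off only
        byte[] ct = c.doFinal(plain);
        byte[] out = ByteBuffer.allocate(iv.length + ct.length).put(iv).put(ct).array();
        return Base64.getUrlEncoder().withoutPadding().encodeToString(out); // safe inside a query string
    }

    // App2 side: returns the username, or null if the token was modified, malformed or too old.
    // App2 should then create its own session from the returned name rather than trusting anything else in the URL.
    public static String verify(SecretKey key, String token) {
        try {
            byte[] in = Base64.getUrlDecoder().decode(token);
            Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
            c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, in, 0, IV_BYTES));
            c.updateAAD(PURPOSE);
            String plain = new String(c.doFinal(in, IV_BYTES, in.length - IV_BYTES), StandardCharsets.UTF_8);
            int sep = plain.indexOf('|');
            long issuedAt = Long.parseLong(plain.substring(0, sep));
            if (System.currentTimeMillis() - issuedAt > MAX_AGE_MILLIS) return null; // stale token
            return plain.substring(sep + 1);
        } catch (GeneralSecurityException | RuntimeException e) {
            return null; // AEADBadTagException (tampered), bad Base64, or malformed payload
        }
    }
}
```

The shared key should be loaded from protected configuration on both hosts (for example as a `SecretKeySpec` over 16 or 32 key bytes), and the link itself should be served over HTTPS so the token is not exposed in transit; the short lifetime bounds how long a captured URL remains usable.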
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41182
What do you mean by "enough security"? What kinds of attacks (and which attackers) are you trying to guard against?


Ping & DNS - my free Android networking tools app
Andres Delrotti
Ranch Hand

Joined: Aug 11, 2005
Posts: 136
From hackers who could possibly bypass the login and enter the site, or from XSS attacks.
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41182
    
  45
If by "enter the site" you mean via HTTP, I think that risk is small if you use the container's built-in authentication mechanism to secure the web apps (and use strong passwords as well as SSL where appropriate). Against an attacker gaining system-level access (possibly even root access), most bets are off, but it doesn't sound like that's the kind of threat you're concerned about.

Information about how to guard against XSS (and other web app attacks) can be found at http://www.coderanch.com/how-to/java/SecurityFaq#web-apps.